Comprehensive Analysis of VOID#GEIST Multi-Stage Malware Targeting Windows Systems with XWorm, AsyncRAT, and Xeno RAT
Executive Summary (Publication Date: March 2026): The VOID#GEIST malware campaign represents a new frontier in multi-stage, script-based cyberattacks, delivering advanced Remote Access Trojans (XWorm, AsyncRAT, and Xeno RAT) through a highly modular and evasive framework. By leveraging legitimate tools such as embedded Python runtimes and Microsoft binaries, and employing fileless shellcode injection, VOID#GEIST is designed to evade traditional security controls and comp
Mar 8 · 5 min read


FBI Pen Register and Trap and Trace System Breach: Investigation into Suspicious Cyber Activity Targeting Sensitive Surveillance Data
Executive Summary: On February 17, 2026, the Federal Bureau of Investigation (FBI) initiated an investigation into suspicious cyber activity detected on an internal system containing sensitive surveillance and investigative information. The affected system, while unclassified, holds law enforcement sensitive data, including returns from legal processes such as pen register and trap and trace surveillance, as well as personally identifiable information (PII) related to subject
Mar 8 · 5 min read


MuddyWater’s Dindoor Backdoor: Iranian APT Targets U.S. Organizations via Deno Runtime and Cloud Storage
Executive Summary: A newly identified campaign orchestrated by the Iranian state-sponsored advanced persistent threat group MuddyWater (also known as Seedworm and attributed to Iran’s Ministry of Intelligence and Security, MOIS) is actively targeting U.S. organizations with a sophisticated malware arsenal. The centerpiece of this campaign is a novel backdoor dubbed Dindoor, which leverages the Deno JavaScript runtime for execution, marking a significant evolution in the gr
Mar 8 · 5 min read


Critical Vulnerabilities Discovered by OpenAI Codex Security in GnuPG, GnuTLS, GOGS, PHP, Chromium, and More After Scanning 1.2 Million Commits
Executive Summary: The recent deployment of OpenAI Codex Security has marked a significant milestone in automated vulnerability discovery, with the platform autonomously scanning over 1.2 million code commits and identifying 10,561 high-severity issues, including 792 critical vulnerabilities, across a spectrum of widely used open-source projects. This unprecedented scale of automated code review has exposed latent risks in foundational software components such as GnuPG, GnuT
Mar 8 · 6 min read


French FICOBA Bank Account Database Breach Exposes Data of 1.2 Million Accounts: February 2026 Incident Analysis
Executive Summary: On February 18, 2026, the French Ministry of Economy publicly disclosed a significant data breach affecting approximately 1.2 million bank accounts in France. The breach was enabled by the compromise of an official’s credentials, which allowed a malicious actor to access the FICOBA national bank account database. The exposed data includes bank account numbers, account holder names, addresses, and, in some cases, tax identification numbers. No access to acc
Feb 19 · 5 min read


Figure Technology Solutions Data Breach: Nearly 1 Million User Records Exposed in 2026 Social Engineering Attack
Executive Summary: Figure Technology Solutions, a prominent blockchain-based financial technology company, experienced a significant data breach in February 2026, resulting in the compromise of nearly 1 million user records. The breach was executed through a sophisticated social engineering attack, specifically a voice phishing (vishing) campaign, which enabled attackers to obtain an employee’s credentials and multi-factor authentication codes. This access allowed the threat a
Feb 19 · 5 min read


PromptSpy Android Malware Exploits Gemini AI for Advanced Persistence on Android Devices
Executive Summary (Publication Date: February 19, 2026): The emergence of PromptSpy marks a pivotal moment in the evolution of Android malware, as it is the first known threat to leverage generative AI—specifically Google’s Gemini model—to automate persistence and evade removal. Discovered by ESET researchers, PromptSpy demonstrates how attackers can harness advanced AI capabilities to adapt to diverse device environments, automate complex UI interactions, and resist traditi
Feb 19 · 4 min read


Massiv Android Banking Trojan Campaign Exploits Fake IPTV Apps to Target Mobile Users in Southern Europe
Executive Summary: A sophisticated Android banking malware campaign is currently propagating through fake IPTV applications, distributing the Massiv banking trojan and targeting mobile banking users across Southern Europe, with a particular focus on Spain, Portugal, France, and Turkey. The attackers exploit the widespread demand for unofficial IPTV streaming services, enticing users to sideload malicious APKs from untrusted sources. Once installed, these counterfeit IPTV app
Feb 19 · 5 min read


CRESCENTHARVEST: Iranian APT Targets Farsi-Speaking Activists via Chrome Software Reporter Tool Exploit and RAT Malware
Executive Summary: The CRESCENTHARVEST campaign represents a highly targeted and technically advanced cyber-espionage operation, focusing on supporters of the ongoing protests in Iran. This campaign utilizes sophisticated social engineering, protest-themed lures, and a custom Remote Access Trojan (RAT) to achieve persistent surveillance, credential theft, and exfiltration of sensitive data. The threat actors behind CRESCENTHARVEST employ advanced tactics such as DLL sidelo
Feb 19 · 5 min read


Ivanti Connect Secure, Policy Secure, and Neurons Zero-Day Exploitation Surge: CVE-2025-0282 and CVE-2025-0283 Threat Analysis and Mitigation
Executive Summary: Since July 2025, exploitation of zero-day vulnerabilities in Ivanti products has surged, with sophisticated threat actors targeting Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA Gateways. These attacks leverage previously unknown flaws to achieve remote code execution, persistent access, and lateral movement within enterprise environments. The campaign has been traced to multiple high-profile incidents across Europe, affecting c
Feb 19 · 5 min read


CVE-2026-26119: Critical Privilege Escalation Vulnerability in Microsoft Windows Admin Center – Patch Now to Prevent Domain Compromise
Executive Summary: CVE-2026-26119 is a critical privilege escalation vulnerability affecting Microsoft Windows Admin Center, a browser-based management platform for Windows servers, clusters, and hybrid environments. This vulnerability, discovered by Andrea Pierini of Semperis and patched by Microsoft in version 2511 (December 2025), enables an authenticated attacker to escalate privileges over a network, potentially resulting in full domain compromise. Microsoft has clas
Feb 19 · 4 min read


ETSI EN 304 223: The New Global Standard for AI Cybersecurity and Supply Chain Risk Management
Executive Summary (Publication Date: January 19, 2026): The release of ETSI EN 304 223 marks a pivotal advancement in the field of AI cybersecurity, establishing the first globally applicable European Standard for securing AI models and systems. This standard introduces a comprehensive, lifecycle-based approach to AI security, addressing the unique risks and challenges posed by modern AI technologies, including deep neural networks and generative AI. By setting baseline securit
Jan 25 · 4 min read


ETSI EN 304 223: Baseline Cybersecurity Standard for AI Models and Systems in Europe
Executive Summary (Publication Date: 15 January 2026): The European Telecommunications Standards Institute (ETSI) has published ETSI EN 304 223, a groundbreaking European Standard (EN) that establishes baseline cybersecurity requirements for artificial intelligence (AI) models and systems. This standard introduces a lifecycle-based framework for developers, vendors, and operators, addressing unique AI threats such as data poisoning and prompt injection. By setting clear, act
Jan 19 · 5 min read


Shai-Hulud 2.0 npm Supply Chain Attack Exposes Trust Wallet: $8.5 Million Stolen in Major Cloud-Native Breach
Executive Summary: The Shai-Hulud 2.0 supply chain attack represents a critical escalation in cloud-native ecosystem threats, leveraging malicious modifications to hundreds of widely used npm packages to compromise developer environments, CI/CD pipelines, and cloud-connected workloads. Attackers exploited the npm package supply chain by injecting malicious scripts into the preinstall phase, enabling credential harvesting and exfiltration before security controls could interv
Dec 31, 2025 · 5 min read


Critical Vulnerability in IBM API Connect (CVE-2025-13915) Enables Remote Authentication Bypass and Unauthorized Access
Executive Summary: IBM has issued a critical security advisory regarding a severe vulnerability in its API Connect platform, identified as CVE-2025-13915. This vulnerability enables remote, unauthenticated attackers to bypass authentication controls, granting them unauthorized access to sensitive management interfaces and APIs. With a CVSS v3.1 base score of 9.8 (Critical), this flaw represents a significant risk to organizations leveraging IBM API Connect for API managem
Dec 31, 2025 · 5 min read


RondoDox Botnet Actively Exploits React2Shell Vulnerability (CVE-2025-55182) in Next.js and React Server Components
Executive Summary: The RondoDox botnet has rapidly emerged as a significant threat to organizations leveraging Next.js and React Server Components, exploiting the critical React2Shell vulnerability (CVE-2025-55182). This pre-authentication remote code execution (RCE) flaw enables unauthenticated attackers to execute arbitrary code on vulnerable servers via a single HTTP request. Since early December 2025, threat actors have orchestrated large-scale, automated exploitation
Dec 31, 2025 · 5 min read


Critical CVE-2025-13915 Authentication Bypass Vulnerability in IBM API Connect: Impact, Exploitation, and Mitigation Guidance
Executive Summary: IBM has issued a critical security advisory regarding a severe authentication bypass vulnerability in IBM API Connect, identified as CVE-2025-13915. This vulnerability enables remote, unauthenticated attackers to circumvent authentication controls and gain unauthorized access to sensitive API management functions. With a CVSS v3.1 base score of 9.8 (Critical), this flaw poses a significant risk to organizations leveraging IBM API Connect for enterprise
Dec 31, 2025 · 4 min read


European Space Agency JIRA and Bitbucket Breach: Hacker Claims 200GB Data Theft from External Servers
Executive Summary: The European Space Agency (ESA) has confirmed a cybersecurity breach affecting a small number of external servers used for collaborative engineering activities. The incident, first reported on December 26, 2025, and publicly acknowledged by ESA on December 29 and 30, 2025, involved unauthorized access to servers outside the core ESA corporate network. The threat actor, using the alias “888,” claims to have exfiltrated over 200GB of data, including source co
Dec 31, 2025 · 7 min read


ErrTraffic: How ClickFix Attacks Exploit Fake Browser Glitches to Compromise WordPress, Joomla, and cPanel Systems
Executive Summary: The emergence of the ErrTraffic service marks a significant escalation in the industrialization of ClickFix attacks, leveraging fake browser glitches to deceive users into executing malicious commands. This report provides a comprehensive analysis of the technical, security, and supply chain implications of ErrTraffic, synthesizing findings from authoritative sources including BleepingComputer, InfoStealers, and the Microsoft Security Blog. The report
Dec 31, 2025 · 5 min read


RondoDox Botnet Actively Exploits Unpatched XWiki Server Vulnerabilities: Threat Analysis and Mitigation Strategies
Executive Summary: The emergence of the RondoDox botnet campaign marks a significant escalation in the exploitation of unpatched XWiki servers, leveraging known vulnerabilities to conscript these systems into a rapidly expanding botnet infrastructure. XWiki, a widely adopted open-source enterprise wiki platform, has become a high-value target due to its prevalence in knowledge management and collaboration environments across diverse sectors. The RondoDox threat actor explo
Nov 16, 2025 · 4 min read